Re: [Exim] Blocking phony MS Security update emails

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Edgar Lovecraft
Date:  
À: exim-users
Sujet: Re: [Exim] Blocking phony MS Security update emails
On Fri, 09 Jan 2004 15:19:31 Nigel Metheringham wrote:
>
> On Fri, 2004-01-09 at 15:05, Kevin Reed wrote:
> > # If the messae contains SCR or PIF we want to Log this
> > deny    log_message = DENY: ATTACHMENT ($found_extension) for $acl_m3
> >         message = Message Denied due to Content of a Unacceptable >
> Attachment type of ($found_extension) \n \
> >          Please use other means to send this type of file. \n \
> >          If you have questions please contact
> postmaster@$qualify_domain >         demime = scr:pif:exe:com:bat
> >         delay = 30s

>
> That acl requires the exiscan patch to work. Its also a remarkably
> short list of banned extensions :-)
>


--
here is a much more complete list of extensions to blocak useing the
exiscan acl patch. I run these before any virus scanning but after the
initial MIME error check; and yes, I do know that this may not help much
for those not useing exiscan.
just add this to the DATA acl:

#This is for extensions that even MS says are bad, reference this page
#   http://support.microsoft.com/default.aspx?scid=kb;EN-US;290497
deny  message = $found_extension files are not accepted here
      demime = ade : adp : asx : bas : bat : chm : cmd : com : cpl : crt \
             : exe : hlp : hta : inf : ins : isp : js : jse : lnk : mda \
             : mdb : mde : mdt : mdw : mdz : msi : msp : mst : ops : pcd \
             : pif : prf : reg : scf : scr : shb : shs : url : vb : vbe \
             : vbs : wsc : wsf : wsh : cnf : mad : maf : mag : mam : maq \
             : mar : mas : mat : mav : maw : xnk : mhtml : msc : sct


#This is for all of those CLSID extension hiding techniques
#   the regex is all one line, so be carefull about cut and past
deny  message = $found_extension files are not accepted here
      regex   = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-
9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$


--EAL--